RESEARCH OUTPUTS / RÉSULTATS DE RECHERCHE
Author(s) - Auteur(s) :
Publication date - Date de publication :
Permanent link - Permalien :
Rights / License - Licence de droit d’auteur :
Bibliothèque Universitaire Moretus Plantin
Institutional Repository - Research Portal
Dépôt Institutionnel - Portail de la Recherche
researchportal.unamur.be
University of Namur
Presentation of RCIS paper
Feltus, Christophe
Publication date:
2015
Document Version
Peer reviewed version
Link to publication
Citation for pulished version (HARVARD):
Feltus, C 2015, Presentation of RCIS paper..
General rights
Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners
and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
• You may not further distribute the material or use it for any profit-making activity or commercial gain
• You may freely distribute the URL identifying the publication in the public portal ?
Take down policy
If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately
and investigate your claim.
ALIGNMENT OF REMMO WITH RBAC TO MANAGE
ACCESS RIGHTS IN THE FRAME OF ENTERPRISE
ARCHITECTURE
OVERVIEW
•
Introduction
•
Responsibility metamodel
•
ArchiMate extension with Responsibility
•
Method for the access rights management
OVERVIEW
•
Introduction
•
Responsibility metamodel
•
ArchiMate extension with Responsibility
•
Method for the access rights management
Context
INTRODUCTION
Context
INTRODUCTION
ok
Context
INTRODUCTION
ok
Roles
Context
INTRODUCTION
ok
7
Enterprise
Architecture
Responsibility as an hyphen
INTRODUCTION
Access rights
management
DAC
MAC
RBAC
ABAC
TRBAC
OrBAC
Responsibility
• Access rights management tends to consider business concepts
• Governance needs require to provide accurate access rights
• Responsibility is perceived as an hyphen between both worlds
Application layer
Business layer
Governance
needs
Responsibility
defined
Required
access rights
to perform
responsibility
Unrefined picture of zone of concepts
INTRODUCTION
COBIT
ISO/IEC
27000
ISO/IEC
38500
BASEL II
SOX
Responsibility needs capabilities
X
X
X
X
Responsibility generates responsibility
X
X
X
X
Responsibility composed of accountabilities
X
X
X
X
X
Responsibility concerns tasks
X
X
X
X
X
Responsibility defined by Governance rules
X
X
X
X
•
Considering the corporate and IT governance needs, what are the concepts which
constitute the core of the employee responsibility and how these concepts may be
associated in a dedicated Responsibility metamodel?
•
Responsibility metamodel
•
How may business/IT alignment be improved considering the responsibility, in the
context of enterprise architecture models, and for the field of access rights
management?
•
ArchiMate extension with the Responsibility metamodel
•
How may responsibility be mapped with the role based access control model and how
does this mapping enhances the engineering of roles?
•
Method for the access rights management
Designed artefacts
OVERVIEW
•
Introduction
•
Responsibility metamodel
•
ArchiMate extension with Responsibility
•
Method for the access rights management
•
Method
•
Review of the concepts from the literature
•
Concepts definition
•
Integration in the Responsibility metamodel
•
Limitations
•
Responsibility relates to business tasks
•
Responsibility are those of employees from bureaucratic organisations
•
Responsibility metamodel kept simple
Method and Limitations
Uncluttered view
RESPONSIBILITY METAMODEL
Task
Business Object
Responsibility
Actor
Right
Capability
Condition, Source
Governance rule
Task and Business object
RESPONSIBILITY METAMODEL
The BusinessTask TreatPatient uses the BusinessObject PatientFile
The BusinessTask SeekInformationAboutPathology uses the
BusinessObject PathologyKnowledgeBase
The StructuralTask ValidateTreatment concerns the BusinessTask
Actor, Responsibility, Accountability
RESPONSIBILITY METAMODEL
Alice plays the BusinessRole of IT specialist and is assigned to the Responsibility
which aggregates the Accountability to_do UpdatePathologyKnowledgeBase
The DoctorGeneral is assigned to the Responsibility which aggregates the
RESPONSIBILITY METAMODEL
The Accountability to_do TreatPatient requires the RightToUse the
PatientFile
The Accountability to_do the ManagementOfTheHospital requires
the Capability to Manage a team
Healthcare case study
OVERVIEW
•
Introduction
•
Responsibility metamodel
•
ArchiMate extension with Responsibility
•
Method for the access rights management
Type of mappings
ARCHIMATE EXTENSION
1-1 mapping
No mapping
Metamodel Integration
ARCHIMATE EXTENSION
merge
specialisation
Result
ARCHIMATE EXTENSION
Responsibility
element
ArchiMate element
Mapping
Integration
rule
Integrated element
Business Object
Business Object
1:1
Merge
Business Object
Task
Business Process
1:1
Specialisation
<<Task>>
R_Business Role
Business Role
1:1
Specialisation
<<R_BusinessRole>>
Responsibility
Business Role
1:1
Specialisation
<<Responsibility>>
Employee
Business Actor
1:1
Specialisation
<<Employee>>
Accountability
Business Function
1:1
Specialisation
<<Accountability>>
Right To Use
Access association
1:1
Specialisation
<<RightToUse>>
Sanction
-
-
Addition of
attribute
<<Accountability>>, Sanction:
Sanction description
Condition
-
-
Addition of
attribute
<<Accountability>>, Condition:
Condition description
Capability
-
-
Addition of
attribute
<<Accountability>>, Capability:
Capability description
Source
Driver
1:1
Specialisation
<<Source>
Illustration
OVERVIEW
•
Introduction
•
Responsibility metamodel
•
ArchiMate extension with Responsibility
•
Method for the access rights management
Principle
AR MANAGEMENT METHOD
Bu
sin
ess
La
y
er
Responsibilities
Responsibilities
Responsibilities
Responsibilities
ArchiMate
24
Ap
pl
ica
tion
La
y
er
Existing RBAC reference model in ArchiMate, Band (2011)
AR MANAGEMENT METHOD
Application function:
represents a behaviour
element that groups
automated behaviour
which can be
performed by an
application component
Data object:
represents a passive
element suitable for
automated processing
Responsibility-RBAC alignment
AR MANAGEMENT METHOD
Summary of the
AR Management Reference Model
AR MANAGEMENT METHOD
• Collects the list of employees
who need to access the
information system
• From the responsibilities
model in ArchiMate
• Output: Business object «List
of Users»
• List of users realized by data
object «Users»
Business role: RBAC administrator
Business processes:
• Populate the list of Users
• Populate the list of RBAC
Roles
• Populate the list of Permissions
• Populate the list of Users to RBAC
Roles assignments
• Populate the list of RBAC Roles to
OVERVIEW
•
Introduction
•
Responsibility metamodel
•
ArchiMate extension with Responsibility
•
Method for the access rights management
•
State of the art: Access Control Models and Governance needs
•
Access rights models/methods tend to consider business concepts (responsibility)
•
Governance requires the definition of responsibilities and associated access rights
•
3 main designed artefacts:
1.
Responsibility metamodel
2.
Responsibility extension of ArchiMate Business layer
3.
Method for access rights management based on the Responsibility alignment
with RBAC
•
Limitations
•
Evaluation mainly performed with case studies
•
Alignment only with RBAC model
REFERENCES
References
• Feltus, C. Aligning access rights to governance needs with the responsibility metamodel (ReMMo) in the frame of enterprise architecture, 2014, University of Namur, Belgium
• Sein, M.K., Henfridsson, O., Purao, S., Rossi, M., and Lindgren, R. Action design research. MIS Q., 35(1):37-56, March 2011.
• Petit, M., Feltus, C.,Vernadat, F. Enterprise Architecture Enhanced with Responsibility to Manage Access Rights - Case Study in an EU Institution, PoEM 2012, Rostock, Germany.
• Eric S.K.Y. Towards modeling and reasoning support for early-phase requirements engineering. RE '97, Washington, DC, USA, 1997. IEEE.
• Amyot, D., Horkoff, J., Gross, D., and Mussbacher, G. A lightweight GRL profilefor i* modeling. ER 2009 Workshops on Advances in Conceptual Modeling – Challenging Perspectives, Berlin, Heidelberg, 2009.
• Vernadat, F. Enterprise modelling and integration. In ICEIMT, pages 25-33. 2002.
• Parent, C. and Spaccapietra, S. Database integration: The key to data interoperability. Advances in Object-Oriented Data Modeling, 2000.
• Zivkovic, S., Kühn, H., and Karagiannis, D. Facilitate modelling using method integration: An approach using mappings and integration rules. ECIS 2007, pages 2038-2049. University of St. Gallen.
• The Open Group. ArchiMate® 2.1 Specification. Van Haren Publishing, The Netherlands. 2012-2013.
• Band, I. Modeling rbac with sabsa, togaf and archimate. In The Open Group Conference, Austin, Texas. 2011.
• Gaaloul, K. and Proper, H.A.E. An access control model for organisational management in enterprise architecture. In Proceedings of the 9th International Conference on Semantics, Knowledge and Grids. 2013.
• Cenys, A. Normantas, A., and Radvilavicius, L. Designing role-based access control policies with uml. Journal of Engineering Science and Technology Review, 2(1), 2009.
• Shin, M.E., and Ahn, G.-J. Uml-based representation of role-based access control, WETICE '00, pages 195-200, Washington, DC, USA, 2000.
• Ray, I., Li, N., France, R., and Kim, D.K., Using uml to visualize role-based access control constraints. SACMAT '04, NY, USA, 2004. ACM.
• Kim, D.K., Ray, I., France, R., and Li, N. Modeling role-based access control using parameterized uml models. FASE, vol. 2984. Springer, 2004.
• Anderson, A. Xacml profile for role based access control (rbac). Technical Report Draft 1, OASIS, February 2004.
• Object Management Group (OMG). Uml 2.4.1 superstructure specification. 2011.
• Storer, T., Lock, R. Modelling responsibility. Project working paper 7, indeed project. 2008.
• Sommerville, I. Models for responsibility assignment. Responsibility and Dependable Systems 165-186, Springer. 2007.
• Strens, R., and Dobson, J. How responsibility modelling leads to security requirements. NSPW, 143-149, NY, USA. 1993, 143-149.
• Feltus, C., Petit, M. and Dubois, E. Strengthening employee's responsibility to enhance governance of IT: COBIT RACI chart case study. WISG '09. ACM, New York, NY, USA, 23-32.
• Blind, P.K. Accountability in public service delivery: A multidisciplinary review of the concept. Vienna, Austria. 2001.
• Bovens, M. Two concepts of accountability: Accountability as a virtue and as a mechanism. West European Politics, 33(5):946-967. 2010.
• Dubnick, M.J. Situating accountability: Seeking salvation for the core concept of modern governance. TR, University of New Hampshire. 2007.
• White, S.A., Business process modeling notation v1.0. Technical report. 2004.
• Katranuschkov, P., Gehre, A., Scherer, R.J., Reusable process patterns for collaborative work environments in AEC. 13th ICE, Nottingham, UK. 2007.
• Fox, J.A. The uncertain relationship between transparency and accountability. Development in Practice, 17(4):663-671. 2007.
• Karp, A.H., Haury, H., Davis, M.H. From ABAC to ZBAC: The Evolution of Access Control Models, Information Systems Security Assoc. J., 2010.
• Pete A. Epstein. Engineering of role/permission assignments. PhD thesis, Fairfax, VA, USA, 2002.
• H Roeckle, G. Schimpf, and R. Weidinger. Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization. In RBAC '00: 5th ACM WS on RBAC, 2000.
• R. Crook, D. Ince, and B. Nuseibeh. Modelling access policies using roles in requirements engineering. Information and Software Technology, 45(14):979-991, 2003.
• R. Crook, D. Ince, and B.Nuseibeh. On modelling access policies: Relating roles to their organisationalcontext. RE’05, pp 157-166, 2005.
• R. Chandramouli. A framework for multiple authorization types in a healthcare application system. 17th Annual Computer Security Applications Conference, ACSAC '01, Washington, DC, USA, 2001.
• E. B. Fernandez and J. C. Hawkins. Determining role rights from use cases. Second ACM WS on Role-based access control, NY, USA, 1997.
• G.Neumann and M. Strembeck. A scenario-driven role engineering process for functional rbac roles. SACMAT '02, New York, NY, USA, 2002
• A. Kern, M. Kuhlmann, A. Schaad, and J. Moffett. Observations on the role life-cycle in the context of enterprise security management. SACMAT '02, New York, NY, USA, 2002.
• J. Vaidya, V. Atluri, and Q. Guo. The role mining problem: Finding a minimal descriptive set of roles. SACMAT '07, NY, USA, 2007.
• Ferraiolo, D.., et al. "Proposed NIST standard for role-based access control." ACM TISSEC, 4.3 (2001): 224-274.
• Ferraiolo, David, Janet Cugini, and D. Richard Kuhn. "Role-based access control (RBAC): Features and motivations." 11th ACSAC. 1995.